Re: Viewing web content off-line (Apache) - default Oracle install of self-service apps

["Ryan Parr" <ryanparr () thejamescompany com>]

If the Apache binary delivered with Oracle was compiled with DSO (httpd -l
to see the list) then you can use APXS to compile the modules, and they will
install themselves. More info at http://httpd.apache.org.

If not, is it compiled with Oracle mod_* additions which are not freely
available? If not, then just build your own Apache and drop it in.

IMHO your best bet would be one of the Authen/Authz handler combinations. It
sounds like you have all your users under non-authenticated Windows
sessions, which leaves your options limited. If you had NTLM authenticated
users then you could easily implement that protocol, and authenticate users
against your PDC/BDC's. Then you could hook into the Authz phase, and make
sure that people were only able to get what's their's. At least, that's how
I did it with our intranet. No Oracle, but sensitive data served to scores
of people, all needing something different depending on their position in
the company. I'm using Apache, mod_perl, Apache::AuthenNTLM, FreeBSD, and
DBD::Sybase to authorize a user against our MSSQL employee database.

----- Original Message -----
From: "stef" <stefmit () starband net>
To: <security-basics () securityfocus com>
Sent: Monday, October 28, 2002 11:06 AM
Subject: Re: Viewing web content off-line (Apache) - default Oracle install
of self-service apps


> Thank you - but the point I was trying to make was that a browser solution
> relies on clients keeping the setup/configuration as such. A sophisticated
> user could easily change that back to defaults, or whatever else (or even
the
> reg key disabling access to the Advanced tab ... as it is a simple
HKEY_USER
> entry), and take advantage of the other users sharing that PC, leaving
traces
> of their visits. This is why I was looking into a server-based solution.
>
> Speaking of server-based solution I actually came across something I was
> going to try: mod_headers and mod_expires in Apache - presumably able to
> handle the needed cache-control in http (the application-layer protocol),
> rather than in HTML (which would have been very messy ... as I initially
> mentioned in my post, because of the zillion templates needed to have the
> HTML code appended with appropriate Pragmas or Metatags) ... but the
problem
> with this approach (mod_xxx) is that the Apache is delivered by Oracle in
> binary form, thus less lilkely to be able to get the source and recompile
the
> needed modules ... I am still looking, though.
>
> Thx,
> Stef
>
> On Monday 28 October 2002 12:57 pm, you wrote:
> > In IE : Tools\Internet Options\
> > Choose Settings in Temporary Internet File panel and checked every time
you
> > visit page.
> >
> > It seems to solve the problem
> >
> > ----- Original Message -----
> > From: "stef" <stefmit () starband net>
> > To: <security-basics () securityfocus com>
> > Sent: Friday, October 25, 2002 11:14 AM
> > Subject: Viewing web content off-line (Apache) - default Oracle install
of
> > self-service apps
> >
> > > Hi, all,
> > >
> > > A first attempt of mine in posting this was declined by the moderator
as
> > > irrelevant to a security list, so I am trying to reformulate to
emphasize
> > the
> >
> > > fact that the only reason of this post is a security issue: we have
> >
> > started
> >
> > > deploying Oracle self-services in my company (HR-related "modules",
among
> > > others), based on Oracle 9 as database and Apache as web server. The
> >
> > problem> >
> >
> > > is that these applications contain highly confidential data (e.g.
salary
> > > info), and in the areas where the PCs are shared among multiple users,
> > > the availability of pages saved in the history is of great concern.
Here
> > > is
> >
> > what

> > > is happening: after having "visited" the salary information,
regardless
> > > of whether the user exits the application properly, or not, his
> > > information
> >
> > is
> >
> > > available to the next user by simply doing the following:
> > > - in a browser like Microsoft IE - choose "work offline"
> > > - choose then the history menu
> > > - "pick" ("click") on one of the previously visited pages (by other
> > > employees) --> boom - salary info from previous visitor is available
> > >
> > > We are running all this using SSL (obviously in an attempt to avoid
the
> > > damage of traffic sniffing as much as we can) , so we found an easy
> >
> > solution
> >
> > > being the "tweaking" of the browser in the security options, by
checking
> > the
> >
> > > "Do not save encrypted pages to disk" in the Tools --> Internet
options
> > ...
> >
> > > --> Advanced menu (in the IE). We also have knowlegde on how to do
this
> > > "scripted", such that all the browsers get the change, by using a reg
> > > hack deployed through the login srcipt, one containing also removal of
> > > specific rights for regular users changing back this option, BUT I do
not
> > > think
> >
> > this
> >
> > > is a proper way of resolving such a security issue. I think that the
> >
> > solution
> >
> > > should reside on the Apache side, by forcing (somehow) this type of
> > > "caching"/"history kept" from happening. I know the basics of HTML
> >
> > Metatags
> >
> > > or Pragmas in regards to expiration of cache, etc. ... but this is not
> > > the solution I am seeking, as it won't work on dynamically created
pages
> > > - I think there may be a solution using Java bases app(let)s forcing
this
> > > dynamically, such that we could deploy a "hidden" such applet on every
> > > dynamically created page ....
> > >
> > > Sorry for the lengthy posting - in the end the simple question is: has
> > > anybody been faced with this challenge of self-service-like apps,
> >
> > delivered
> >
> > > via Apache-based servers? If yes - how did you resolve the security
> >
> > aspects
> >
> > > such as the one I described above?
> > >
> > > Thx,
> > > Stef